add proper audit log for audit fetch and proper handling of api key hash in audit

Author: msukkari

packages/web/src/actions.ts

@@ -61,7 +61,7 @@ export const sew = async <T>(fn: () => Promise<T>): Promise<T | ServiceError> =>
     }
 }
 
-export const withAuth = async <T>(fn: (userId: string) => Promise<T>, allowSingleTenantUnauthedAccess: boolean = false, apiKey: ApiKeyPayload | undefined = undefined) => {
+export const withAuth = async <T>(fn: (userId: string, apiKeyHash: string | undefined) => Promise<T>, allowSingleTenantUnauthedAccess: boolean = false, apiKey: ApiKeyPayload | undefined = undefined) => {
     const session = await auth();
 
     if (!session) {
@@ -95,7 +95,7 @@ export const withAuth = async <T>(fn: (userId: string) => Promise<T>, allowSingl
                 },
             });
 
-            return fn(user.id);
+            return fn(user.id, apiKeyOrError.apiKey.hash);
         } else if (
             env.SOURCEBOT_TENANCY_MODE === 'single' &&
             allowSingleTenantUnauthedAccess &&
@@ -109,11 +109,11 @@ export const withAuth = async <T>(fn: (userId: string) => Promise<T>, allowSingl
             }
 
             // To support unauthed access a guest user is created in initialize.ts, which we return here
-            return fn(SOURCEBOT_GUEST_USER_ID);
+            return fn(SOURCEBOT_GUEST_USER_ID, undefined);
         }
         return notAuthenticated();
     }
-    return fn(session.user.id);
+    return fn(session.user.id, undefined);
 }
 
 export const orgHasAvailability = async (domain: string): Promise<boolean> => {
@@ -505,10 +505,7 @@ export const createApiKey = async (name: string, domain: string): Promise<{ key:
                     id: apiKey.hash,
                     type: "api_key"
                 },
-                orgId: org.id,
-                metadata: {
-                    api_key: name
-                }
+                orgId: org.id
             });
 
             return {
@@ -1058,15 +1055,6 @@ export const createInvites = async (emails: string[], domain: string): Promise<{
                 } satisfies ServiceError;
             }
 
-            const invites = await prisma.invite.createMany({
-                data: emails.map((email) => ({
-                    recipientEmail: email,
-                    hostUserId: userId,
-                    orgId: org.id,
-                })),
-                skipDuplicates: true,
-            });
-
             // Send invites to recipients
             if (env.SMTP_CONNECTION_URL && env.EMAIL_FROM_ADDRESS) {
                 const origin = (await headers()).get('origin')!;

packages/web/src/app/api/(server)/ee/audit/route.ts

@@ -7,7 +7,7 @@ import { serviceErrorResponse } from "@/lib/serviceError";
 import { StatusCodes } from "http-status-codes";
 import { ErrorCode } from "@/lib/errorCodes";
 import { env } from "@/env.mjs";
-import { getEntitlements } from "@/features/entitlements/server";
+import { getEntitlements } from "@sourcebot/shared";
 
 export const GET = async (request: NextRequest) => {
   const domain = request.headers.get("X-Org-Domain");
@@ -23,7 +23,7 @@ export const GET = async (request: NextRequest) => {
 
   if (env.SOURCEBOT_EE_AUDIT_LOGGING_ENABLED === 'false') {
     return serviceErrorResponse({
-      statusCode: StatusCodes.FORBIDDEN,
+      statusCode: StatusCodes.NOT_FOUND,
       errorCode: ErrorCode.NOT_FOUND,
       message: "Audit logging is not enabled",
     });
@@ -37,7 +37,7 @@ export const GET = async (request: NextRequest) => {
       message: "Audit logging is not enabled for your license",
     });
   }
-  
+
   const result = await fetchAuditRecords(domain, apiKey);
   if (isServiceError(result)) {
     return serviceErrorResponse(result);

packages/web/src/ee/features/audit/auditService.ts

@@ -1,10 +1,15 @@
 import { IAuditService, AuditEvent } from '@/ee/features/audit/types';
 import { prisma } from '@/prisma';
 import { Audit } from '@prisma/client';
+import { createLogger } from '@sourcebot/logger';
+
+const logger = createLogger('audit-service');
 
 export class AuditService implements IAuditService {
   async createAudit(event: Omit<AuditEvent, 'sourcebotVersion'>): Promise<Audit | null> {
     const sourcebotVersion = process.env.NEXT_PUBLIC_SOURCEBOT_VERSION || 'unknown';
+
+    try {
     const audit = await prisma.audit.create({
       data: {
         action: event.action,
@@ -16,8 +21,12 @@ export class AuditService implements IAuditService {
         metadata: event.metadata,
         orgId: event.orgId,
       },
-    });
+      });
 
-    return audit;
+      return audit;
+    } catch (error) {
+      logger.error(`Error creating audit event: ${error}`, { event });
+      return null;
+    }
   }
 }

packages/web/src/ee/features/audit/types.ts

@@ -16,8 +16,7 @@ export type AuditTarget = z.infer<typeof auditTargetSchema>;
 export const auditMetadataSchema = z.object({
     message: z.string().optional(),
     api_key: z.string().optional(),
-    email: z.string().optional(),
-    emails: z.string().optional(),
+    emails: z.string().optional(), // comma separated list of emails
 })
 export type AuditMetadata = z.infer<typeof auditMetadataSchema>;
 

packages/web/src/ee/features/audit/utils.ts

@@ -1,9 +1,14 @@
 import { prisma } from "@/prisma";
-import { serviceErrorResponse } from "@/lib/serviceError";
 import { ErrorCode } from "@/lib/errorCodes";
 import { StatusCodes } from "http-status-codes";
 import { sew, withAuth, withOrgMembership } from "@/actions";
 import { OrgRole } from "@sourcebot/db";
+import { createLogger } from "@sourcebot/logger";
+import { ServiceError } from "@/lib/serviceError";
+import { getAuditService } from "@/ee/features/audit/factory";
+
+const auditService = getAuditService();
+const logger = createLogger('audit-utils');
 
 export const fetchAuditRecords = async (domain: string, apiKey: string | undefined = undefined) => sew(() =>
   withAuth((userId) =>
@@ -18,14 +23,27 @@ export const fetchAuditRecords = async (domain: string, apiKey: string | undefin
           }
         });
 
+        await auditService.createAudit({
+          action: "audit.fetch",
+          actor: {
+            id: userId,
+            type: "user"
+          },
+          target: {
+            id: org.id.toString(),
+            type: "org"
+          },
+          orgId: org.id
+        })
+
         return auditRecords;
       } catch (error) {
-        console.error('Error fetching audit logs:', error);
-        return serviceErrorResponse({
-          statusCode: StatusCodes.INTERNAL_SERVER_ERROR,
-          errorCode: ErrorCode.UNEXPECTED_ERROR,
-          message: "Failed to fetch audit logs",
-        });
+        logger.error('Error fetching audit logs', { error });
+        return {
+            statusCode: StatusCodes.INTERNAL_SERVER_ERROR,
+            errorCode: ErrorCode.UNEXPECTED_ERROR,
+            message: "Failed to fetch audit logs",
+        } satisfies ServiceError;
       }
     }, /* minRequiredRole = */ OrgRole.OWNER), /* allowSingleTenantUnauthedAccess = */ true, apiKey ? { apiKey, domain } : undefined)
 );

packages/web/src/features/search/fileSourceApi.ts

@@ -15,7 +15,7 @@ import { getAuditService } from "@/ee/features/audit/factory";
 const auditService = getAuditService();
 
 export const getFileSource = async ({ fileName, repository, branch }: FileSourceRequest, domain: string, apiKey: string | undefined = undefined): Promise<FileSourceResponse | ServiceError> => sew(() =>
-    withAuth((userId) =>
+    withAuth((userId, apiKeyHash) =>
         withOrgMembership(userId, domain, async ({ org }) => {
             const escapedFileName = escapeStringRegexp(fileName);
             const escapedRepository = escapeStringRegexp(repository);
@@ -48,8 +48,8 @@ export const getFileSource = async ({ fileName, repository, branch }: FileSource
             await auditService.createAudit({
                 action: "query.file_source",
                 actor: {
-                    id: apiKey ? apiKey : userId,
-                    type: apiKey ? "api_key" : "user"
+                    id: apiKeyHash ?? userId,
+                    type: apiKeyHash ? "api_key" : "user"
                 },
                 orgId: org.id,
                 target: {

packages/web/src/features/search/listReposApi.ts

@@ -9,7 +9,7 @@ import { getAuditService } from "@/ee/features/audit/factory";
 const auditService = getAuditService();
 
 export const listRepositories = async (domain: string, apiKey: string | undefined = undefined): Promise<ListRepositoriesResponse | ServiceError> => sew(() =>
-    withAuth((userId) =>
+    withAuth((userId, apiKeyHash) =>
         withOrgMembership(userId, domain, async ({ org }) => {
             const body = JSON.stringify({
                 opts: {
@@ -50,8 +50,8 @@ export const listRepositories = async (domain: string, apiKey: string | undefine
             await auditService.createAudit({
                 action: "query.list_repositories",
                 actor: {
-                    id: apiKey ? apiKey : userId,
-                    type: apiKey ? "api_key" : "user"
+                    id: apiKeyHash ?? userId,
+                    type: apiKeyHash ? "api_key" : "user"
                 },
                 target: {
                     id: org.id.toString(),

packages/web/src/features/search/searchApi.ts

@@ -128,7 +128,7 @@ const getFileWebUrl = (template: string, branch: string, fileName: string): stri
 }
 
 export const search = async ({ query, matches, contextLines, whole }: SearchRequest, domain: string, apiKey: string | undefined = undefined) => sew(() =>
-    withAuth((userId) =>
+    withAuth((userId, apiKeyHash) =>
         withOrgMembership(userId, domain, async ({ org }) => {
             const transformedQuery = await transformZoektQuery(query, org.id);
             if (isServiceError(transformedQuery)) {
@@ -304,8 +304,8 @@ export const search = async ({ query, matches, contextLines, whole }: SearchRequ
                 await auditService.createAudit({
                     action: "query.code_search",
                     actor: {
-                        id: apiKey ? apiKey : userId,
-                        type: apiKey ? "api_key" : "user"
+                        id: apiKeyHash ?? userId,
+                        type: apiKeyHash ? "api_key" : "user"
                     },
                     target: {
                         id: org.id.toString(),